US20180109490A1 - Active and passive method to perform ip to name resolution in organizational environments - Google Patents

Info

Publication number: US20180109490A1
Authority: US (United States)
Legal status: Granted
Application number: US15/425,702
Other versions: US10505894B2 (en)
Inventors: Idan Plotnik, Sivan Krigsman, Benny Lakunishok, Tal Arieh Be'ery, Michael Dubinsky, Michael Dolinsky
Current assignee: Microsoft Technology Licensing LLC
Original assignee: Microsoft Technology Licensing LLC
Application filed by: Microsoft Technology Licensing LLC
Related applications: PCT/US2017/055456 (WO2018071280A1), CN201780063476.1A (CN109891858A), EP17787296.7A (EP3526955A1)
Granted as: US10505894B2

Classifications

    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L61/2503 Network arrangements for addressing or naming: mapping addresses of the same type; translation of Internet protocol [IP] addresses
    • H04L43/02 Arrangements for monitoring or testing data switching networks: capturing of monitoring data
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and directory access protocols; using domain name system [DNS]
    • H04L63/0236 Network security: separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L67/30 Network arrangements or protocols for supporting network services or applications: architectures and arrangements; profiles

Definitions

  • A computer-readable storage medium includes instructions for performing IP to name resolution in an enterprise network.
  • The instructions, when executed by a processor, determine IP addresses for the devices utilizing the enterprise network.
  • The instructions also resolve a first IP address to a first device name and subsequently resolve the first IP address to a second device name.
  • The instructions then generate a profile for the first IP address having been resolved to both the first device name and the second device name, wherein generating the profile of the first IP address comprises generating a timeline including the first and second device names.
  • The instructions then also query the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
  • The instructions may include actively querying a device to ascertain the first IP address and/or collecting traffic over the network from the same device and passively determining, from the collected traffic, the first IP address associated with that device.
  • Examples are implemented as a computer process, a computing system, or a computer program product for one or more computers.
  • The computer program product is a server of a computer system having a computer program comprising instructions for executing a computer process.
  • FIG. 1 illustrates an example environment having an enterprise network utilized in various embodiments;
  • FIG. 2 illustrates a flowchart showing general stages involved in performing IP to name resolution in an organizational environment according to at least one embodiment disclosed herein;
  • FIG. 3 illustrates a flowchart corresponding with one of the process blocks of the flowchart of FIG. 2 according to at least one embodiment disclosed herein;
  • FIG. 4 illustrates an exemplary embodiment of physical components for a device/computer utilized in the various embodiments.
  • FIG. 1 illustrates an example computing environment 100 in which the present disclosure may be practiced.
  • An enterprise, such as enterprise network 110, is divided into multiple sites 120.
  • A given site 120 may be accessed remotely by a remote device 130, which is located externally to the enterprise network 110 or remotely from the sites 120, or may be accessed locally by a local device 140, which is located internally to the enterprise network 110 or locally to the sites 120.
  • The number of sites 120, remote devices 130, and local devices 140 may be greater than or less than what is illustrated in the example environment 100.
  • The enterprise network 110 provides a single operating environment over which computing devices may interact despite being spread across multiple sites 120 and domains (e.g., for a company, a governmental agency, or an educational institution spread over a large geographical area).
  • Each site 120 of the enterprise network 110 includes: a gateway 122; a network service provider 124, which is in communication with the gateway 122 and operable to authenticate entities seeking to access the enterprise network 110; and a monitor 126, which is typically referred to as the center 126.
  • The center 126 is in communication with the gateway 122 and operable to aggregate connection information from the remote devices 130 to manage entity location data.
  • Gateways 122 and network service providers 124 will be understood by one of skill in the art to include hardware devices and the software running on those devices to provide their functionality.
  • The gateway 122 may run on dedicated hardware or may be provided via software on a computing device used for several purposes, for example on the same hardware as the network service provider 124.
  • The enterprise network 110 may make use of fewer centers 126 than sites 120; some or all of the sites 120 may share a center 126.
  • The remote device 130 and local device 140 are illustrative of a multitude of computing systems including, without limitation, desktop computer systems, wired and wireless computing systems, mobile computing systems (e.g., mobile telephones, netbooks, tablet or slate type computers, notebook computers, and laptop computers), hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, printers, and mainframe computers.
  • Remote devices 130 and local devices 140 are operated by users, who may be humans or automated systems (e.g., “bots”) that request connections to one or more sites 120 of the enterprise network 110.
  • For example, an instance of the SIRI®, GOOGLE NOW™ or CORTANA® electronic assistant may request a connection in response to or in anticipation of queries from a human user.
  • The remote devices 130 and local devices 140 access the enterprise network 110 by being authenticated by a network service provider 124 of a site 120.
  • Remote devices 130 may connect to a given site 120 via a Virtual Private Network (VPN) connection or other tunnel to initiate a session, whereas local devices 140 connect to the site 120 at which they are located.
  • Whether a given device is a remote device 130 or a local device 140 depends on how it connects to the enterprise network 110, and a given device may be both a remote device 130 and a local device 140.
  • For example, a user may use a local device 140 while in the office to connect locally to the enterprise network 110, then take that device home and log into the enterprise network 110, making the device a remote device 130 for the remote session.
  • Entities (devices or user accounts) connect to a given site 120, which is then noted and mapped by the network service provider 124 and the gateway 122 as using the given site 120.
  • The network packets received by the network service provider 124 from the clients 130, 140 are replicated and communicated to the gateway 122.
  • The gateway 122 passively observes the network address information from the devices 130, 140 connecting to the associated site 120 and decides whether to store those addresses.
  • The gateway 122 may store the address information associated with the login request.
  • Local devices 140 may also have their connection attempts to the network service provider 124 and their activity sessions logged by the gateway 122 for security purposes. As will be appreciated, local devices 140 are associated with IP addresses internal to the enterprise network 110, which may be masked for use within the enterprise network 110 and therefore may produce spurious results.
  • The gateway 122 notes the entities associated with the login and session (e.g., the user account and devices) and assigns the location (calculated or physical) of the site 120 to the entity at the time of login.
  • The gateway 122 may store and use, store and filter, or exclude from storage connection attempts that were rejected by the network service provider 124 (e.g., because an incorrect username or password was provided). Similarly, the gateway 122 may store and filter (or block from storage) connection attempts received from a list of addresses that are associated with blocked parties or unreliable geolocation, or whose duration or number of connections meets an unreliability threshold (e.g., multiple short connections may indicate an unstable connection and may be filtered out or ignored).
  • Computing environments such as a cloud-based environment, having shared processing resources and data provided by server and computer resources as well as cloud storage, may also be used for providing users within the enterprise with various capabilities.
  • The network service provider 124 operates to accept communications from the devices 130, 140 accessing the network 110.
  • The gateway 122, communicating with the network service provider 124, operates to aggregate connection information from the devices 130, 140 accessing the network 110.
  • All or part of the collected traffic may be tunneled traffic from a remote device 130 connected via VPN or other tunnel through which users are allowed access to network services.
  • Software agents on the devices 130, 140 are not required to collect traffic and ascertain the login and logoff information.
  • The gateway 122, the network service provider 124 and the center 126 may collectively be referred to as a network name resolver (NNR), or just the gateway 122 and the center 126 may be referred to as the NNR.
  • The NNR, via the center 126, is further operable to determine IP addresses for devices 130, 140 utilizing the network 110 from the collected traffic.
  • An IP address may be ascertained by actively querying a device 130, 140.
  • One or more requests are sent via network packets utilizing one or more protocols to the device 130, 140, and if a response is received the current IP address can be determined pursuant to information provided via the particular protocol.
  • Alternatively, the IP address can be passively determined from network traffic collected from the device 130, 140 on the network 110, pursuant to information available via particular protocols.
  • Authentication packets via one or more authentication protocols can be used to determine whether the collected traffic came from a particular device.
  • The gateway 122, when passively monitoring the traffic from devices 130, 140, can identify when the user is actively on these devices and, therefore, the IP address upon authenticating each login.
  • The protocols utilized can include NT LAN Manager (NTLM), Kerberos, Lightweight Directory Access Protocol (LDAP) and Network Time Protocol (NTP), or any other suitable authentication protocol.
  • The center 126 or the gateway 122 may include a cache for caching results such as the IP addresses seen in the network traffic.
  • The cache may be updated with the current state of the IP addresses that are discovered and then checked to determine which IP addresses have been identified.
  • The gateway also resolves IP addresses to device names. For example, initially a first IP address may be resolved to a first device name. Later, the first IP address may be subsequently resolved to a second device name. Thus, the first IP address was assigned to two different devices over time.
  • The center 126 may also generate a profile for a particular IP address which identifies the device names that have been associated with that IP address over time. The cache is utilized to generate the profile with the first IP address and the first and second device names.
  • High substitution IP addresses may be determined by counting the number of different names on the same IP address. The number of name changes is sometimes referred to as “invalidations” or the “invalidation count.” When the number of invalidations reaches a pre-determined amount within a particular time-span, the IP address is defined as a high substitution IP address, which is then subject to investigation by IT specialists.
  • An IT specialist and other processes are thus able to identify when the device name associated with a particular IP address changes. Moreover, by querying the profile, the IT specialist or other process is able to determine what device name was associated with a particular IP address during a particular time period.
  • The profile may correspond with a timeline or timetable of device names.
  • Because IP addresses are dynamic, subsequent resolving of the same IP addresses may be necessary, which yields additional device names. Also, any IP address may be resolved any number of times, sometimes resulting in the same device name and sometimes in different ones. For example, in addition to identifying and resolving the first IP address as described above, a second IP address may be determined from the same or other devices. The second IP address would then be resolved to identify a third device name and subsequently resolved again to identify a fourth device name. Thus, a profile of the second IP address can be generated having the third and fourth device names. The profile of the second IP address may be queried to determine whether the third device name or the fourth device name was associated with the second IP address during a period of time.
  • The period of time can correspond with all or a portion of a day, or all or a portion of several days.
  • The period of time may correspond with a login session or multiple login sessions.
  • A profile may be generated based on more than one resolved IP address.
  • A profile may include both the first and second IP addresses resolved to the first and second device names and the third and fourth device names, respectively.
  • The profile may be generated and displayed in a user interface illustrating the resolved device names and, if desirable, without the corresponding IP address. All or part of the profile may be selectable.
  • The profile may include a line, pie, or bar graph or a histogram indicating the various device names for one or more resolved IP addresses over time.
  • The profile may also depict the length of time each device name is associated with a particular IP address.
  • The profile may indicate whether the IP address was actively queried or which authentication protocol was used to passively identify the IP address.
  • The profile may also disclose devices which one or more users recently logged onto as well as any resources that were accessed. The profile may also disclose whether each IP address was actively or passively determined.
  • At process block 210, the method 200 determines IP addresses for devices utilizing the network.
  • The method 200 then includes resolving a first IP address to a first device name and, at process block 230, subsequently resolving the first IP address to a second device name.
  • The method 200 also includes process block 240 for generating a profile of the first IP address having been resolved to both the first and second device names. It is to be understood that additional operations may be performed between the process steps mentioned here or in addition to those steps.
  • Process block 210 for determining IP addresses is described in greater detail in FIG. 3.
  • The process 210 collects traffic from the devices 130, 140.
  • The traffic is preferably passively collected by the gateway 122 via replication from the network service provider 124.
  • One or more of the devices 130, 140 may also be queried for its IP address.
  • Both collection of network traffic and querying of the devices 130, 140 are performed for ascertaining IP addresses because one or both may fail at determining the correct IP address.
  • Alternatively, either collecting the network traffic or querying for an IP address may be performed without the other.
  • The IP address is determined from the collected traffic and/or as a result of querying a device for its IP address. From process block 218, the process proceeds to process block 220 as shown in FIG. 2.
  • The method 200 may also include one or more optional steps.
  • The method 200 may also include process block 250 for updating a cache and utilizing the cache to generate the profile of the IP address.
  • The method 200 may also include process block 252 for querying the profile to determine whether the first or second device name was associated with the first IP address during a period of time.
  • The method 200 may also include process block 254 for resolving a second IP address to third and fourth device names.
  • The method 200 may also include process block 260 for generating a profile for the second IP address having the third and fourth device names.
  • The method 200 may also include process block 262 for querying the profile of the second IP address to determine whether the third device name or the fourth device name was associated with the second IP address during a period of time.
  • Embodiments, for example, are described above with reference to block diagrams and/or operational illustrations of methods, systems, and computer program products according to embodiments.
  • The functions/acts noted in the blocks may occur out of the order shown in any flowchart or described herein with reference to the Figures.
  • Two steps or processes shown or described in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
  • FIG. 4 and the corresponding discussion are intended to provide a brief, general description of a suitable computing environment in which embodiments may be implemented.
  • Program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types.
  • Other computer system configurations may also be used, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like.
  • Distributed computing environments may also be used, where tasks are performed by remote processing devices that are linked through a communications network.
  • In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
  • The computer environment shown in FIG. 4 includes computing devices that each may be configured as a mobile computing device (e.g. phone, tablet, netbook, laptop), server, desktop, or some other type of computing device, and include a central processing unit 310 (“CPU”), a system memory 312, including a random access memory 314 (“RAM”) and a read-only memory (“ROM”) 316, and a system bus 318 that couples the memory to the CPU 310.
  • The computer 320 further includes a mass storage device 322 for storing an operating system 324, an attachment manager 326, a messaging application 328 and a web browser 330.
  • The mass storage device 322 is connected to the CPU 310 through a mass storage controller (not shown) connected to the bus 318.
  • The mass storage device 322 and its associated computer-readable media provide non-volatile storage for the computer 320.
  • Computer-readable media can be any available media that can be accessed by the computer 320.
  • Computer-readable media may comprise computer storage media and communication media.
  • Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.
  • Computer storage media includes, but is not limited to, RAM, ROM, Erasable Programmable Read Only Memory (“EPROM”), Electrically Erasable Programmable Read Only Memory (“EEPROM”), flash memory or other solid state memory technology, CD-ROM, digital versatile disks (“DVD”) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 320.
  • Computer 320 operates in a networked environment using logical connections to remote computers through a network 332, such as the Internet.
  • The computer 320 may connect to the network 332 through a network interface unit 334 connected to the bus 318.
  • The network connection may be wireless and/or wired.
  • The network interface unit 334 may also be utilized to connect to other types of networks and remote computer systems.
  • The computer 320 may also include an input/output controller 336 for receiving and processing input from a number of other devices, including a keyboard, mouse, or electronic stylus (not shown). Similarly, the input/output controller 336 may provide input/output to a scanner, a camera, a display screen 338, a printer, or other type of input and/or output device. Display 338 is configured to display representations of the messages received via the messaging application 328.
  • A number of program modules and data files may be stored in the mass storage device 322 and RAM 314 of the computer 320, including an operating system 324 suitable for controlling the operation of a computer, such as the WINDOWS 10®, WINDOWS 10 Mobile®, or WINDOWS SERVER® operating system from MICROSOFT CORPORATION of Redmond, Wash.
  • The mass storage device 322 and RAM 314 may also store one or more program modules.
  • The mass storage device 322 and the RAM 314 may store one or more application programs, including one or more messaging applications 328 and a Web browser 330.
  • Messaging application 328 may be one or more different messaging applications.
  • The computing device may include an email application, an Instant Messaging (IM) application, an SMS or MMS application, a real-time information network (e.g. Twitter® interface), a social networking application, and the like.
  • For example, messaging application 328 is an email application, such as MICROSOFT OUTLOOK®.
  • The messaging application(s) may be client based and/or web based.
  • A network based message service 340 may be used, such as MICROSOFT WINDOWS LIVE or some other network based email and messaging service.
  • Network share 344 is configured to store content (e.g. documents, spreadsheets, images, video, Web content, and the like) that is accessible to one or more users through IP network 318.
  • Network share 344 may store content that is accessible by users located at one or more locations.
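The gateway's store, store-and-filter or exclude decision described above (rejected logins handled by configuration, addresses on a blocked or unreliable-geolocation list, and repeated short connections that trip an unreliability threshold) can be expressed as a small policy driving the entity-to-site mapping the center aggregates. The following Python is an added example written for this page, not code from the patent or from Microsoft; the class names, the default thresholds (sessions under one minute count as short, three of them within ten minutes are filtered) and the sample attempts, which use documentation-range addresses, are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Disposition(Enum):
    """What the gateway does with one observed connection attempt."""
    STORE = "store"                    # kept and used for entity-location mapping
    STORE_FILTERED = "store-filtered"  # kept for the record, excluded from mapping
    EXCLUDE = "exclude"                # not stored at all


@dataclass(frozen=True)
class ConnectionAttempt:
    """A login seen by the gateway (constructed record shape, not the patent's)."""
    ts: datetime
    source_ip: str
    user: str
    site: str
    accepted: bool        # True if the network service provider authenticated it
    duration: timedelta   # session length; zero for rejected attempts


class GatewayPolicy:
    """Store / filter / exclude rules for connection attempts (assumed defaults)."""

    def __init__(self, blocked_ips: set[str], unreliable_geo_ips: set[str],
                 rejected: Disposition = Disposition.EXCLUDE,
                 short_session: timedelta = timedelta(minutes=1),
                 max_short_sessions: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> None:
        self.blocked_ips = blocked_ips
        self.unreliable_geo_ips = unreliable_geo_ips
        self.rejected = rejected              # configurable handling of failed logins
        self.short_session = short_session    # sessions shorter than this are "short"
        self.max_short_sessions = max_short_sessions
        self.window = window

    def disposition(self, attempt: ConnectionAttempt,
                    history: list[ConnectionAttempt]) -> Disposition:
        if not attempt.accepted:
            return self.rejected
        if attempt.source_ip in self.blocked_ips or attempt.source_ip in self.unreliable_geo_ips:
            return Disposition.STORE_FILTERED
        if attempt.duration < self.short_session:
            # Count earlier short sessions from the same address inside the window.
            earlier_short = sum(
                1 for h in history
                if h.source_ip == attempt.source_ip
                and h.duration < self.short_session
                and attempt.ts - self.window <= h.ts <= attempt.ts)
            if earlier_short + 1 >= self.max_short_sessions:
                return Disposition.STORE_FILTERED   # unstable connection, ignore
        return Disposition.STORE


class Gateway:
    """Applies the policy and keeps the entity-to-site mapping the center aggregates."""

    def __init__(self, policy: GatewayPolicy) -> None:
        self.policy = policy
        self.stored: list[ConnectionAttempt] = []
        self.dispositions: list[Disposition] = []
        self.locations: dict[str, tuple[str, datetime]] = {}  # user -> (site, when)

    def observe(self, attempt: ConnectionAttempt) -> Disposition:
        decision = self.policy.disposition(attempt, self.stored)
        self.dispositions.append(decision)
        if decision is not Disposition.EXCLUDE:
            self.stored.append(attempt)
        if decision is Disposition.STORE:
            self.locations[attempt.user] = (attempt.site, attempt.ts)
        return decision


# Constructed sample: documentation-range addresses, invented users and sites.
T0 = datetime(2016, 10, 13, 8, 0)
SAMPLE_ATTEMPTS = [
    ConnectionAttempt(T0, "203.0.113.10", "alice", "site-1", True, timedelta(hours=1)),
    ConnectionAttempt(T0 + timedelta(minutes=1), "198.51.100.7", "alice", "site-2", False, timedelta(0)),
    ConnectionAttempt(T0 + timedelta(minutes=2), "192.0.2.99", "bob", "site-1", True, timedelta(minutes=30)),
    ConnectionAttempt(T0 + timedelta(minutes=3), "203.0.113.44", "carol", "site-2", True, timedelta(seconds=20)),
    ConnectionAttempt(T0 + timedelta(minutes=4), "203.0.113.44", "carol", "site-2", True, timedelta(seconds=15)),
    ConnectionAttempt(T0 + timedelta(minutes=5), "203.0.113.44", "carol", "site-2", True, timedelta(seconds=25)),
    ConnectionAttempt(T0 + timedelta(minutes=6), "203.0.113.44", "carol", "site-2", True, timedelta(minutes=45)),
]


def run_sample(attempts: list[ConnectionAttempt] = SAMPLE_ATTEMPTS) -> Gateway:
    """Feed the sample through a gateway whose policy blocks 192.0.2.99."""
    gw = Gateway(GatewayPolicy(blocked_ips={"192.0.2.99"}, unreliable_geo_ips=set()))
    for attempt in attempts:
        gw.observe(attempt)
    return gw


if __name__ == "__main__":
    gw = run_sample()
    for attempt, decision in zip(SAMPLE_ATTEMPTS, gw.dispositions):
        print(f"{attempt.ts:%H:%M} {attempt.user:6s} {attempt.source_ip:14s} -> {decision.value}")
    print("entity locations:", {u: s for u, (s, _) in gw.locations.items()})
```

With the sample, alice's rejected attempt is excluded, bob's login from the blocked address is stored but never updates a location, and carol's third short session within the window is filtered while her later 45-minute session sets her location. Filtered attempts stay in the stored history on purpose, so that they still count toward the short-connection threshold.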

Abstract

A system and method for performing IP to name resolution in organizational environments. IP addresses are determined for devices utilizing the corporate network. An IP address is resolved to a first device name and then the same IP address is subsequently resolved to a second device name. A profile is generated such as a timeline for the IP address including both the first and second device names. The timeline may be queried to determine whether the first device name or the second device name was associated with the IP address during a period of time.

Description

  • CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority to U.S. Provisional Patent Application No. 62/408,014 titled “ACTIVE AND PASSIVE METHOD TO PERFORM IP TO NAME RESOLUTION IN ORGANIZATIONAL ENVIRONMENTS” filed Oct. 13, 2016, the disclosure of which is hereby incorporated by reference in its entirety.
  • BACKGROUND
  • Corporate enterprises are interested in security and IT specialists have the need to locate and identify users and devices. On a network using the Transmission Control Protocol/Internet Protocol (TCP/IP), it is often necessary to convert or resolve an IP address to an actual host or device name. However, IP addresses are dynamic. In other words, an IP address which is relevant to a computer at one point in time may no longer be relevant to that same computer just a few seconds later.
  • Moreover, when a user's login credentials are stolen and a hacker uses those credentials to log in at another computer, another IP address becomes associated with that user. The two IP addresses by themselves may not be informative enough for the IT specialist to investigate, but ascertaining the names of those two computers provides additional information when determining whether to investigate. Resolving IP addresses to device names may also be useful in identifying impossible travel scenarios.
    SUMMARY
  • This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description section. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended as an aid in determining the scope of the claimed subject matter.
  • According to one aspect disclosed herein, a method is presented for performing IP to name resolution in organizational environments. The method disclosed herein includes determining IP addresses for devices utilizing a network. The method also includes resolving a first IP address to a first device name and subsequently resolving the first IP address to a second device name. A profile such as a timeline is generated for the first IP address having been resolved to both the first device name and the second device name. The method may also include querying the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
  • According to another aspect disclosed herein, a system is presented for performing IP to name resolution in an enterprise network comprised of a plurality of locations to which devices may access the network. The system disclosed herein includes a network service provider operable to authenticate devices seeking to access the network and a gateway, in communication with the network service provider, operable to monitor communications from the devices accessing the network via the network service provider. The system also includes a center, in communication with the gateway, operable to aggregate connection information from the devices accessing the network and to receive the collected traffic from the gateway. To perform IP to name resolution the center is operable to generate a profile for a first IP address having been resolved to both the first device name and the second device name. The center may be further operable to query the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
  • According to yet another aspect disclosed herein, a computer-readable storage medium including instructions for performing IP to name resolution in an enterprise network is disclosed. The instructions executed by a processor include determining IP addresses for the devices utilizing the enterprise network. The instructions also include resolving a first IP address to a first device name and subsequently resolving the first IP address to a second device name. The instructions then include generating a profile for the first IP address having been resolved to both the first device name and the second device name, wherein generating the profile of the first IP address comprises generating a timeline including the first and second device names. The instructions then also include querying the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time. In order to determine IP addresses for the devices utilizing the network, the instructions may include actively querying a device to ascertain the first IP address and/or collecting traffic over the network from the same device and passively determining from the collected traffic the first IP address associated with the same device.
  • Examples are implemented as a computer process, a computing system, or as a computer program product for one or more computers. According to an aspect, the computer program product is a server of a computer system having a computer program comprising instructions for executing a computer process.
  • The details of one or more aspects are set forth in the accompanying drawings and description below. Other features and advantages will be apparent from a reading of the following detailed description and a review of the associated drawings. It is to be understood that the following detailed description is explanatory only and is not restrictive of the claims.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate various aspects. In the drawings:
  • FIG. 1 illustrates an example environment having an enterprise network utilized in various embodiments;
  • FIG. 2 illustrates a flowchart showing general stages involved in performing IP to name resolution in an organizational environment according to at least one embodiment disclosed herein;
  • FIG. 3 illustrates a flowchart corresponding with one of the process blocks of the flowchart of FIG. 2 according to at least one embodiment disclosed herein; and
  • FIG. 4 illustrates an exemplary embodiment of physical components for a device/computer utilized in the various embodiments.
    DETAILED DESCRIPTION
  • The following detailed description refers to the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the following description refers to the same or similar elements. While examples may be described, modifications, adaptations, and other implementations are possible. For example, substitutions, additions, or modifications may be made to the elements illustrated in the drawings, and the methods described herein may be modified by substituting, reordering, or adding stages to the disclosed methods. Accordingly, the following detailed description is not limiting, but instead, the proper scope is defined by the appended claims. Examples may take the form of a hardware implementation, or an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
  • Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • FIG. 1 illustrates an example computing environment 100 in which the present disclosure may be practiced. As illustrated, an enterprise such as enterprise network 110 is divided into multiple sites 120. A given site 120 may be accessed remotely by a remote device 130, which is located externally to the enterprise network 110 or remotely from the sites 120, or may be accessed locally by a local device 140, which is located internally to the enterprise network 110 or locally to the sites 120. Although two sites 120, one remote device 130, and one local device 140 are illustrated, the number of sites 120, remote devices 130, and local devices 140 may be greater than or less than what is illustrated in the example environment 100.
  • The enterprise network 110 provides a single operating environment over which computing devices may interact despite being spread across multiple sites 120 and domains (e.g., for a company, a governmental agency, an educational institution spread over a large geographical area). Each site 120 of the enterprise network 110 includes: a gateway 122, a network service provider 124, which is in communication with the gateway 122 and operable to authenticate entities seeking to access the enterprise network 110, and a monitor 126 which is typically referred to as the center 126. The center 126 is in communication with the gateway 122 and operable to aggregate connection information from the remote devices 130 to manage entity location data. Gateways 122 and network service providers 124 will be understood by one of skill in the art to include hardware devices and software running on those devices to provide the functionalities thereof. In various aspects, the gateway 122 may be run on dedicated hardware or may be provided via software on a computing device used for several purposes, such as, for example, on the same hardware as the network service provider 124. In additional aspects, the enterprise network 110 may make use of fewer centers 126 than sites 120; some or all of the sites 120 may share a center 126.
  • The remote device 130 and local device 140 are illustrative of a multitude of computing systems including, without limitation, desktop computer systems, wired and wireless computing systems, mobile computing systems (e.g., mobile telephones, netbooks, tablet or slate type computers, notebook computers, and laptop computers), hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, printers, and mainframe computers.
  • Remote devices 130 and local device 140 are operated by users, who may be humans or automated systems (e.g., “bots”) that request connections to one or more sites 120 of the enterprise network 110. For example, an instance of the SIRI®, GOOGLE NOW™ or CORTANA® electronic assistant (available from Apple, Inc. of Cupertino, Calif.; Alphabet, Inc. of Mountain View, Calif.; and Microsoft, Corp. of Redmond, Wash., respectively) may request a connection in response to or in anticipation of queries from a human user.
  • The remote devices 130 and local devices 140 access the enterprise network 110 by being authenticated by a network service provider 124 of a site 120. Remote devices 130 may connect to a given site 120 via a Virtual Private Network (VPN) connection or other tunnel to initiate a session, whereas local devices 140 connect to the site 120 at which they are located. Whether a given device is a remote device 130 or a local device 140 depends on how it connects to the enterprise network 110, and a given device may be both a remote device 130 and a local device 140. For example, a user may use a local device 140 while in the office to connect locally to the enterprise network 110 and take that device home and log into the enterprise network 110, making the device a remote device 130 for the remote session. Entities (devices or user accounts) connect to a given site 120 which is then noted and mapped by the network service provider 124 and the gateway 122 as using the given site 120.
  • The network packets received by the network service provider 124 from the clients 130, 140 are replicated and communicated to the gateway 122. Via the replicated network traffic, the gateway 122 passively observes the network address information from the devices 130, 140 connecting to the associated site 120 and will decide whether to store those addresses. Each time a user account successfully logs into the site 120 and establishes a session on the enterprise network 110, the gateway 122 may store the address information associated with the login request.
  • Local devices 140 may also have their connection attempts to the network service provider 124 and activity session logged by the gateway 122 for security purposes. As will be appreciated, local devices 140 are associated with IP addresses internal to the enterprise network 110, which may be masked for use within the enterprise network 110, and therefore may produce spurious results. The gateway 122 will note the entities associated with the login and session (e.g., the user account and devices), and will assign the location (calculated or physical) of the site 120 to the entity at the time of login.
  • In various aspects, the gateway 122 may store and use, store and filter, or exclude from storage connection attempts that were rejected by the network service provider 124 (e.g., an incorrect username or password were provided). Similarly, the gateway 122 may store and filter (or block from storage) connection attempts received from a list of addresses that are associated with blocked parties, unreliable geolocation, or whose duration or number of connections meet an unreliability threshold (e.g., multiple short connections may indicate an unstable connection, and may be filtered out or ignored).
  • Other configurations of computing environments such as a cloud-based environment having shared processing resources and data provided by server and computer resources as well as cloud storage may also be used for providing users within the enterprise with various capabilities.
  • Still referring to the example on-premises computing environment 100 of FIG. 1, the network service provider 124 operates to accept communications from the devices 130, 140 accessing the network 110. The gateway 122, communicating with the network service provider 124, operates to aggregate connection information from the devices 130, 140 accessing the network 110. For example, in one or more embodiments, all or part of the collected traffic may be tunneled traffic from a remote device 130 connected via VPN or other tunnel where users are allowed access to network services. Software agents on the devices 130, 140 are not required to collect traffic and ascertain the login and logoff information. The gateway 122, the network service provider 124 and the center 126 may collectively be referred to as a network name resolver (NNR), or just the gateway 122 and the center 126 may be referred to as the NNR.
  • The NNR, via the center 126, is further operable to determine IP addresses for devices 130, 140 utilizing the network 110 from the collected traffic. An IP address may be ascertained by actively querying a device 130, 140. Thus, one or more requests are sent via network packets utilizing one or more protocols to the device 130, 140 and, if a response is received, the current IP address can be determined pursuant to information provided via the particular protocol. Alternatively, or in addition to actively sending a request to the device 130, 140, the IP address can be passively determined from network traffic collected from the device 130, 140 on the network 110 pursuant to information available via particular protocols. Authentication packets via one or more authentication protocols can be used to determine whether the collected traffic came from a particular device. For example, the gateway 122, when passively monitoring the traffic from devices 130, 140, can identify when the user is actively on these devices and, therefore, the IP address upon authenticating each login. The protocols utilized can include NT LAN Manager (NTLM), Kerberos, Lightweight Directory Access Protocol (LDAP) and Network Time Protocol (NTP), or any other suitable authentication protocol.
  • The center 126 or the gateway 122 may include a cache for caching results such as the IP addresses in the network traffic. The cache may be updated with the current state of IP addresses that are discovered and then checked to determine which IP addresses have been identified. The gateway also resolves IP addresses to device names. For example, initially a first IP address may be resolved to a first device name. Later, the first IP address may be subsequently resolved to a second device name. Thus, the first IP address was assigned to two different devices over time. The center 126 may also generate a profile for a particular IP address which identifies the device names that have been associated with that IP address over time. The cache is utilized to generate the profile with the first IP address and the first and second device names.
  • Each resolved device name that is added to the cache is timestamped with the time of resolution. High substitution IP addresses may be determined by counting the number of different names on the same IP address. The number of name changes is sometimes referred to as “invalidations” or the “invalidation count.” When the number of invalidations reaches a pre-determined amount within a particular time-span, the IP address is defined as a high substitution IP address, which is then subject to investigation by IT specialists.
  • From the profile, an IT specialist and other processes are able to identify when the device name associated with a particular IP address changes. Moreover, by querying the profile, the IT specialist or other process is able to determine what device name is associated with a particular IP address during a particular time period. The profile may correspond with a timeline or timetable of device names.
  • Because IP addresses are dynamic, subsequently resolving the same IP address may be necessary, which yields additional device names. Also, any IP address may be resolved any number of times, sometimes resulting in the same device name and sometimes in a different one. For example, in addition to identifying and resolving the first IP address as described above, a second IP address may be determined from the same or other devices. The second IP address would then be resolved to identify a third device name and then subsequently resolved again to identify a fourth device name. Thus, a profile of the second IP address can be generated having the third and fourth device names. The profile of the second IP address may be queried to determine whether the third device name or the fourth device name was associated with the second IP address during a period of time. For example, the period of time can correspond with all or a portion of a day or all or a portion of several days. Also, the period of time may correspond with a login session or multiple login sessions. In one or more embodiments, a profile may be generated based on more than one resolved IP address. For example, a profile may include both the first and second IP addresses resolved to the first and second device names as well as the third and fourth device names, respectively.
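The timestamped cache, the per-address profile (timeline), the query for which names were associated with an address during a period, and the invalidation count used to flag high substitution addresses, as one added Python example. This is not the patent's code; the addresses, device names, base time, window and threshold are all constructed for illustration, and the `NameCache` class and its method names are the example's own.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not the patent's code. Addresses, names and times are
# constructed; a real deployment would feed record() from the gateway cache.


@dataclass(frozen=True)
class Resolution:
    ts: datetime     # time of resolution (the cache timestamp)
    name: str        # device name the IP address resolved to
    source: str      # "active" or "passive:<protocol>"


@dataclass
class Segment:
    start: datetime
    end: Optional[datetime]   # None while the name is still current
    name: str
    source: str


class NameCache:
    """Timestamped IP-to-name cache plus the per-address profile built from it."""

    def __init__(self) -> None:
        self._entries: dict[str, list[Resolution]] = defaultdict(list)

    def record(self, ip: str, name: str, ts: datetime, source: str) -> None:
        """Store one resolution result; entries must arrive in time order."""
        bucket = self._entries[ip]
        if bucket and ts < bucket[-1].ts:
            raise ValueError("resolutions must be recorded in time order")
        bucket.append(Resolution(ts, name, source))

    def profile(self, ip: str) -> list[Segment]:
        """Timeline of device names for ip: a name is held from its resolution
        until a different name is resolved; re-confirming the same name only
        extends the current segment."""
        segments: list[Segment] = []
        for r in self._entries.get(ip, []):
            if segments and segments[-1].name == r.name:
                continue
            if segments:
                segments[-1].end = r.ts
            segments.append(Segment(r.ts, None, r.name, r.source))
        return segments

    def names_during(self, ip: str, start: datetime, end: datetime) -> list[str]:
        """Device names associated with ip at any moment in [start, end)."""
        return [s.name for s in self.profile(ip)
                if s.start < end and (s.end is None or s.end > start)]

    def invalidation_count(self, ip: str, window_end: datetime,
                           window: timedelta) -> int:
        """Name changes ("invalidations") whose resolution time falls in
        [window_end - window, window_end]."""
        lo = window_end - window
        return sum(1 for s in self.profile(ip)[1:] if lo <= s.start <= window_end)

    def is_high_substitution(self, ip: str, window_end: datetime,
                             window: timedelta, threshold: int) -> bool:
        """Flag an address whose name changed threshold or more times in the window."""
        return self.invalidation_count(ip, window_end, window) >= threshold


T0 = datetime(2016, 10, 13, 8, 0)   # constructed base time


def build_sample_cache() -> NameCache:
    """Constructed resolution history for two addresses."""
    c = NameCache()
    c.record("10.0.1.25", "WS01", T0, "passive:kerberos")
    c.record("10.0.1.25", "WS01", T0 + timedelta(minutes=30), "active")
    c.record("10.0.1.25", "WS07", T0 + timedelta(hours=2), "passive:ntlm")
    c.record("10.0.1.25", "WS03", T0 + timedelta(hours=2, minutes=10), "passive:kerberos")
    c.record("10.0.1.25", "WS07", T0 + timedelta(hours=2, minutes=20), "passive:kerberos")
    c.record("10.0.1.40", "WS02", T0, "passive:ntlm")
    return c


def demo() -> dict:
    """Query the sample cache; plain return values make the results easy to check."""
    c = build_sample_cache()
    hour = timedelta(hours=1)
    return {
        "timeline": [s.name for s in c.profile("10.0.1.25")],
        "names_8_to_9": c.names_during("10.0.1.25", T0, T0 + hour),
        "names_9_to_10_05": c.names_during("10.0.1.25", T0 + hour,
                                           T0 + timedelta(hours=2, minutes=5)),
        "invalidations_last_hour": c.invalidation_count("10.0.1.25", T0 + 3 * hour, hour),
        "high_substitution": c.is_high_substitution("10.0.1.25", T0 + 3 * hour, hour, 3),
        "quiet_address": c.invalidation_count("10.0.1.40", T0 + 3 * hour, hour),
    }


if __name__ == "__main__":
    print(demo())
```

The profile merges consecutive resolutions to the same name, so a re-confirmation from a second protocol or an active query does not count as an invalidation; only a change of name does. Segments carry the source of the resolution so a display can show whether each name came from an active query or from a particular authentication protocol, as the description calls for.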
  • The profile may be generated and displayed in a user interface illustrating the resolved device names and, if desirable, without the corresponding IP address. All or part of the profile may be selectable. In one or more examples, the profile may include a line, pie, or bar graph or a histogram indicating the various device names for one or more resolved IP addresses over time. The profile may also depict the length of time each device name is associated with a particular IP address. Moreover, the profile may indicate whether the IP address was actively queried or which authentication protocol was used to passively identify the IP address. The profile may also disclose devices which one or more users recently logged onto as well as to any resources that were accessed. The profile may also disclose whether each IP address was actively or passively determined.
  • The use of the gateway 122 and the center 126 as described above to determine and resolve IP addresses also constitutes an inventive method. In practicing the method 200 for performing IP to name resolution as illustrated in FIGS. 2 and 3, the steps include process block 210 for determining IP addresses for devices utilizing the network. At process block 220 the method 200 includes resolving a first IP address to a first device name and at process block 230 the method 200 includes subsequently resolving the first IP address to a second device name. The method 200 also includes process block 240 for generating a profile of the first IP address having been resolved to both the first and second device names. It is to be understood that additional operations may be performed between the process steps mentioned here or in addition to those steps.
  • Process block 210 for determining IP addresses is described in greater detail in FIG. 3. In process block 212 the process 210 collects traffic from the devices 130, 140. As explained above, the traffic is preferably passively collected by the gateway 122 via replication from the network service provider 124. Also, in process block 214 one or more of the devices 130, 140 may be queried for its IP address. Preferably, both collection of network traffic and querying of the devices 130, 140 are performed for ascertaining IP addresses because one or both may fail at determining the correct IP address. However, in one or more embodiments, either collecting the network traffic or querying for an IP address may be performed without the other. Thus, in process block 216 the IP address is determined from the collected traffic and/or as a result of querying a device for its IP address. From process block 218, the process proceeds to process block 220 as shown in FIG. 2.
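The active and passive determination of a device's IP address described above (authentication packets as the passive source, a direct query as the active one, and process blocks 212 through 216 combining the two when either may fail), as one added Python example. This is not the patent's code: the `AuthEvent` record shape, the sample traffic, the device names and addresses, and `fake_active_query` (a stand-in for whatever request the gateway would actually send) are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not the patent's code. Event shape, names, addresses and the
# active-query stand-ins below are all constructed for illustration.


@dataclass(frozen=True)
class AuthEvent:
    """One authentication packet as the gateway sees it in mirrored traffic."""
    protocol: str      # "kerberos" or "ntlm"
    src_ip: str        # source address from the IP header
    client_name: str   # Kerberos cname, or the NTLM Workstation field
    success: bool      # whether the network service provider accepted the login


def passive_resolve(event: AuthEvent) -> Optional[tuple[str, str]]:
    """Derive (ip, device_name) from a single authentication packet.

    Kerberos: a computer-account principal such as WS01$@CORP.EXAMPLE names
    the host; a user principal (no trailing '$') says nothing about the device.
    NTLM: the AUTHENTICATE message carries a Workstation field naming the host.
    Rejected logins are ignored, matching the gateway's option to filter them.
    """
    if not event.success:
        return None
    if event.protocol == "kerberos":
        principal = event.client_name.split("@", 1)[0]
        if not principal.endswith("$"):
            return None
        return event.src_ip, principal[:-1].upper()
    if event.protocol == "ntlm" and event.client_name:
        return event.src_ip, event.client_name.upper()
    return None


@dataclass(frozen=True)
class Determination:
    ip: Optional[str]   # address to record, None when both paths failed
    source: str         # "both", "active", "passive" or "none"
    conflict: bool      # active and passive answers disagreed


def determine_ip(device: str, events: list[AuthEvent],
                 active_query: Callable[[str], Optional[str]]) -> Determination:
    """Process blocks 212-216: combine passive and active results for device.

    Passive: the most recent successful authentication from the device.
    Active: active_query(device) returns the address the device reports now,
    or None (or raises OSError) when the query fails.
    """
    passive_ip = None
    for ev in events:                     # capture order; later packets win
        hit = passive_resolve(ev)
        if hit is not None and hit[1] == device.upper():
            passive_ip = hit[0]
    try:
        active_ip = active_query(device)
    except OSError:                       # host down, timeout, port filtered
        active_ip = None
    if active_ip and passive_ip:
        # The active answer is the address the device holds right now; a
        # disagreement usually means the lease changed since the last login.
        return Determination(active_ip, "both", active_ip != passive_ip)
    if active_ip:
        return Determination(active_ip, "active", False)
    if passive_ip:
        return Determination(passive_ip, "passive", False)
    return Determination(None, "none", False)


# Constructed sample traffic (not captured data).
SAMPLE_EVENTS = [
    AuthEvent("kerberos", "10.0.1.25", "WS01$@CORP.EXAMPLE", True),
    AuthEvent("kerberos", "10.0.1.25", "alice@CORP.EXAMPLE", True),   # user, no host info
    AuthEvent("ntlm", "10.0.1.40", "WS02", True),
    AuthEvent("ntlm", "10.0.1.40", "WS02", False),                     # rejected login
    AuthEvent("ntlm", "10.0.1.50", "WS03", True),
    AuthEvent("kerberos", "10.0.1.77", "WS01$@CORP.EXAMPLE", True),   # WS01 got a new address
]


def fake_active_query(device: str) -> Optional[str]:
    """Hypothetical stand-in for an active query (e.g. a name-service request
    to the host); WS02 never answers, WS03 reports a different address."""
    return {"WS01": "10.0.1.77", "WS03": "10.0.1.51"}.get(device.upper())


def unreachable_active_query(device: str) -> Optional[str]:
    """Stand-in for a query that fails outright (timeout, host blocked)."""
    raise OSError("no route to host")


if __name__ == "__main__":
    for host in ("WS01", "WS02", "WS03", "WS09"):
        print(host, determine_ip(host, SAMPLE_EVENTS, fake_active_query))
```

Keeping the source and the conflict flag in the result is what makes the later profile useful: an entry recorded from a failed active query and a stale passive observation is a weaker basis for an investigation than one where both paths agreed, and the description's profile is meant to show which path produced each address.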
  • The method 200 may also include one or more optional steps. Thus, the method 200 may also include process block 250 for updating a cache and utilizing the cache to generate the profile of the IP address. The method 200 may also include process block 252 for querying the profile to determine whether the first or second device name was associated with the first IP address during a period of time. The process 200 may also include process block 254 for resolving a second IP address to third and fourth device names. The process 200 may also include process block 260 for generating a profile for the second IP address having third and fourth device names. The process 200 may also include process block 262 for querying the profile of the second IP address to determine whether the third device name or the fourth device name was associated with the second IP address during a period of time.
  • Embodiments, for example, are described above with reference to block diagrams and/or operational illustrations of methods, systems, and computer program products according to embodiments. The functions/acts noted in the blocks may occur out of the order as shown in any flowchart or described herein with reference to the Figures. For example, two steps or processes shown or described in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
  • FIG. 4 and the corresponding discussion are intended to provide a brief, general description of a suitable computing environment in which embodiments may be implemented. Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Other computer system configurations may also be used, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like. Distributed computing environments may also be used where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
  • Still referring to FIG. 4, an illustrative computer environment for a computer 320 utilized in the various embodiments will be described. The computer environment shown in FIG. 4 includes computing devices that each may be configured as a mobile computing device (e.g. phone, tablet, net book, laptop), server, a desktop, or some other type of computing device and include a central processing unit 310 (“CPU”), a system memory 312, including a random access memory 314 (“RAM”) and a read-only memory (“ROM”) 316, and a system bus 318 that couples the memory to the CPU 310.
  • A basic input/output system containing the basic routines that help to transfer information between elements within the computer, such as during startup, is stored in the ROM 316. The computer 320 further includes a mass storage device 322 for storing an operating system 324, attachment manager 326, messaging application 328 and web browser 330.
  • The mass storage device 322 is connected to the CPU 310 through a mass storage controller (not shown) connected to the bus 318. The mass storage device 322 and its associated computer-readable media provide non-volatile storage for the computer 320. Although the description of computer-readable media contained herein refers to a mass storage device, such as a hard disk or CD-ROM drive, the computer-readable media can be any available media that can be accessed by the computer 320.
  • By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, Erasable Programmable Read Only Memory (“EPROM”), Electrically Erasable Programmable Read Only Memory (“EEPROM”), flash memory or other solid state memory technology, CD-ROM, digital versatile disks (“DVD”), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 320.
  • Computer 320 operates in a networked environment using logical connections to remote computers through a network 332, such as the Internet. The computer 320 may connect to the network 332 through a network interface unit 334 connected to the bus 318. The network connection may be wireless and/or wired. The network interface unit 334 may also be utilized to connect to other types of networks and remote computer systems. The computer 320 may also include an input/output controller 336 for receiving and processing input from a number of other devices, including a keyboard, mouse, or electronic stylus (not shown). Similarly, the input/output controller 336 may provide input/output to a scanner, a camera, a display screen 338, a printer, or other type of input and/or output device. Display 338 is configured to display representations of the messages received via the messaging application 328.
  • As mentioned briefly above, a number of program modules and data files may be stored in the mass storage device 322 and RAM 314 of the computer 320, including an operating system 324 suitable for controlling the operation of a computer, such as the WINDOWS 10®, WINDOWS 10 Mobile®, or WINDOWS SERVER® operating system from MICROSOFT CORPORATION of Redmond, Wash. The mass storage device 322 and RAM 314 may also store one or more program modules. In particular, the mass storage device 322 and the RAM 314 may store one or more application programs, including one or more messaging applications 328 and Web browser 330.
  • User interface 342 is used by a user to interact with applications and documents. Messaging application 328 may be one or more different messaging applications. For example, the computing device may include an email application, an Instant Messaging (IM) application, an SMS, MMS application, a real-time information network (e.g. Twitter® interface), a social networking application, and the like. According to an embodiment, messaging application 328 is an email application, such as MICROSOFT OUTLOOK®. The messaging application(s) may be client based and/or web based. For example, a network based message service 340 may be used, such as: MICROSOFT WINDOWS LIVE or some other network based email and messaging service.
  • Network share 344 is configured to store content (e.g. documents, spreadsheet, images, video, Web content, and the like) that are accessible to one or more users through IP network 318. For example, network share 344 may store content that is accessible by users located at one or more locations.
  • The description and illustration of one or more examples provided in this application are not intended to limit or restrict the scope as claimed in any way. The aspects, examples, and details provided in this application are considered sufficient to convey possession and enable others to make and use the best mode. Implementations should not be construed as being limited to any aspect, example, or detail provided in this application. Regardless of whether shown and described in combination or separately, the various features (both structural and methodological) are intended to be selectively included or omitted to produce an example with a particular set of features. Having been provided with the description and illustration of the present application, one skilled in the art may envision variations, modifications, and alternate examples falling within the spirit of the broader aspects of the general inventive concept embodied in this application that do not depart from the broader scope.

Claims (20)

What is claimed is:
1. A method for performing IP to name resolution in organizational environments, comprising:
determining IP addresses for a plurality of devices utilizing a network;
resolving a first IP address to a first device name; and
subsequently resolving the first IP address to a second device name.
2. The method of claim 1 wherein determining IP addresses for the plurality of devices utilizing the network comprises querying a device to ascertain the first IP address.
3. The method of claim 1 wherein determining IP addresses for the plurality of devices utilizing the network comprises collecting traffic over the network from the plurality of devices and determining from the collected traffic the first IP address associated with a device.
4. The method of claim 1 wherein determining IP addresses for the plurality of devices utilizing the network comprises both:
actively querying a device to ascertain the first IP address; and
passively collecting traffic over the network from the same device and determining from the collected traffic the first IP address is associated with the same device.
5. The method of claim 1 further comprising passively collecting traffic over the network from the plurality of devices.
6. The method of claim 1 wherein determining IP addresses for a plurality of devices utilizing a network comprises passively collecting traffic over the network from the plurality of devices and determining the first IP address from packets of the collected traffic.
7. The method of claim 1 further comprising generating a profile for the first IP address having been resolved to both the first device name and the second device name.
8. The method of claim 7 further comprising querying the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
9. The method of claim 7 further comprising:
resolving a second IP address to a third device name;
subsequently resolving the second IP address to a fourth device name; and
generating a profile for the second IP address having been resolved to the third device name and the fourth device name.
10. The method of claim 7 further comprising querying the profile of the second IP address to determine whether the third device name or the fourth device name was associated with the second IP address during a period of time.
11. The method of claim 7 wherein generating a profile further comprises generating the profile to also include a second IP address having been resolved to at least one device name.
12. The method of claim 11 further comprising querying the profile to determine device names associated with the first and second IP addresses during one or more periods of time.
13. The method of claim 7 further comprising updating a cache and utilizing the cache to generate the profile with the first IP address and the first and second device names.
14. The method of claim 7 wherein generating the profile for the first IP address comprises generating a timeline including the first and second device names.
15. The method of claim 7 further comprising generating a second profile for a second IP address and a timeline including third and fourth device names.
16. A system including a processor and a memory device including processor executable instructions for performing IP to name resolution in an enterprise network comprised of a plurality of locations from which devices may access the network, comprising:
a network service provider operable to authenticate devices seeking to access the network;
a gateway, in communication with the network service provider, operable to monitor communications from a plurality of devices accessing the network via the network service provider; and
a center, in communication with the gateway, operable to aggregate connection information from the devices accessing the network and to receive the collected traffic from the gateway, and wherein to perform IP to name resolution the center is operable to generate a profile for a first IP address having been resolved to both the first device name and the second device name.
17. The system of claim 16 wherein the center is further operable to query the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
18. The system of claim 16 wherein to determine IP addresses for the plurality of devices utilizing the network a device is queried to ascertain the first IP address.
19. The system of claim 16 wherein to determine IP addresses for the plurality of devices utilizing the network traffic from the plurality of devices is collected and the first IP address associated with a device is determined from the collected traffic.
20. A computer-readable storage medium including instructions for performing IP to name resolution in an enterprise network, which when executed by a processor are operable to:
determine IP addresses for a plurality of devices utilizing an enterprise network by at least one of actively querying a device to ascertain a first IP address and passively collecting traffic over the network from the same device and determining from the collected traffic that the first IP address is associated with the same device;
resolve the first IP address to a first device name;
subsequently resolve the first IP address to a second device name;
generate a profile for the first IP address having been resolved to both the first device name and the second device name, wherein generating the profile of the first IP address comprises generating a timeline including the first and second device names; and
query the profile to determine whether the first device name or the second device name was associated with the first IP address during a period of time.
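The claims above describe a profile that keeps a timeline of every device name an IP address has resolved to, fed by both active queries and passively observed traffic, and that can be asked which name held the address during a given period. The security point is the one claim 8 and claim 20 turn on: in a DHCP-heavy enterprise network an address changes hands, so resolving the IP in an alert with a fresh lookup names whoever holds the lease now, not whoever held it when the event happened. The following is an added, self-contained example written for this page, not Microsoft's implementation or code from the patent. The passive records (DHCP/NBNS-style lines), the `ACTIVE_LOOKUP` table that stands in for a live reverse-DNS or NetBIOS query, and the IP addresses and host names are all constructed for illustration.

```python
"""Added example: IP-to-name profile timeline from active and passive evidence.
Illustrative code for this page, not the patent's implementation. All sample
records, names and the active-lookup table are constructed."""
from __future__ import annotations

import re
from bisect import bisect_right
from dataclasses import dataclass, field
from datetime import datetime


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2017-02-06T08:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Observation:
    seen_at: datetime
    name: str
    source: str  # "active" (we queried the device) or "passive" (sniffed)


@dataclass
class Profile:
    """Timeline of device names one IP address has resolved to (claims 7, 14)."""
    ip: str
    timeline: list[Observation] = field(default_factory=list)

    def add(self, obs: Observation) -> None:
        if obs in self.timeline:          # identical evidence seen twice
            return
        self.timeline.append(obs)
        self.timeline.sort(key=lambda o: o.seen_at)

    def name_at(self, when: datetime) -> str | None:
        """Name in effect at `when`: latest observation at or before it."""
        times = [o.seen_at for o in self.timeline]
        i = bisect_right(times, when)
        return self.timeline[i - 1].name if i else None

    def names_during(self, start: datetime, end: datetime) -> list[str]:
        """Distinct names held in [start, end] (claim 8), including the name
        already in effect when the window opened."""
        names: list[str] = []
        carried = self.name_at(start)
        if carried is not None:
            names.append(carried)
        for o in self.timeline:
            if start <= o.seen_at <= end and o.name not in names:
                names.append(o.name)
        return names


class Resolver:
    """Aggregates active and passive evidence into per-IP profiles; the dict
    of profiles doubles as the cache of claim 13."""

    # Constructed passive record format, e.g. a gateway's parsed DHCP ACKs or
    # NetBIOS name registrations. Real protocol parsers are out of scope here.
    PASSIVE_RE = re.compile(
        r"^(?P<ts>\S+) (?P<proto>dhcp|nbns) ip=(?P<ip>\S+) host=(?P<host>\S+)$"
    )

    def __init__(self, active_lookup: dict[str, str]) -> None:
        self._active_lookup = active_lookup   # stand-in for rDNS/NBT queries
        self.profiles: dict[str, Profile] = {}

    def _profile(self, ip: str) -> Profile:
        return self.profiles.setdefault(ip, Profile(ip))

    def query_active(self, ip: str, now: datetime) -> str | None:
        """Active path: ask the device (here, a table) what it is called now."""
        name = self._active_lookup.get(ip)
        if name:
            self._profile(ip).add(Observation(now, name, "active"))
        return name

    def ingest_passive(self, line: str) -> bool:
        """Passive path: learn a name from traffic the device already sent."""
        m = self.PASSIVE_RE.match(line)
        if not m:
            return False
        self._profile(m["ip"]).add(Observation(ts(m["ts"]), m["host"], "passive"))
        return True


# Constructed sample data: 10.0.0.5 is leased to LAPTOP-A, then re-leased to
# WORKSTATION-B at 12:15; the "current" answer for 10.0.0.5 is WORKSTATION-B.
PASSIVE_LINES = [
    "2017-02-06T08:00:00Z dhcp ip=10.0.0.5 host=LAPTOP-A",
    "2017-02-06T12:15:00Z dhcp ip=10.0.0.5 host=WORKSTATION-B",
    "2017-02-06T09:00:00Z nbns ip=10.0.0.7 host=PRINTER-1",
]
ACTIVE_LOOKUP = {"10.0.0.5": "WORKSTATION-B", "10.0.0.7": "PRINTER-1"}


def build_demo_resolver() -> Resolver:
    r = Resolver(ACTIVE_LOOKUP)
    for line in PASSIVE_LINES:
        r.ingest_passive(line)
    return r


def demo() -> dict[str, object]:
    """Attribute an alert seen from 10.0.0.5 at 10:30. A fresh active query
    names the current lease holder; the timeline names the holder at 10:30."""
    r = build_demo_resolver()
    current = r.query_active("10.0.0.5", ts("2017-02-06T14:00:00Z"))
    p = r.profiles["10.0.0.5"]
    return {
        "current_name": current,
        "name_at_alert": p.name_at(ts("2017-02-06T10:30:00Z")),
        "names_during_day": p.names_during(ts("2017-02-06T08:00:00Z"),
                                           ts("2017-02-06T13:00:00Z")),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it shows the mismatch the claims are built around: the active query answers `WORKSTATION-B`, while the profile places `LAPTOP-A` at the alert time and lists both names for the day. In practice the passive side would be fed by parsers for DHCP, NetBIOS/NBNS, Kerberos and similar traffic seen at the gateway, and the active side by reverse DNS or NetBIOS status queries; keep both sources, since an endpoint that never speaks DHCP or NBNS will only ever be named by an active query, and an endpoint that refuses active queries will only ever be named passively.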
Priority Applications (4)

Application Number Priority Date Filing Date Title
US15/425,702 US10505894B2 (en) 2016-10-13 2017-02-06 Active and passive method to perform IP to name resolution in organizational environments
PCT/US2017/055456 WO2018071280A1 (en) 2016-10-13 2017-10-06 Active and passive method for ip to name resolution
CN201780063476.1A CN109891858A (en) 2016-10-13 2017-10-06 Actively and passively method for IP to name resolving
EP17787296.7A EP3526955A1 (en) 2016-10-13 2017-10-06 Active and passive method for ip to name resolution

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662408014P 2016-10-13 2016-10-13
US15/425,702 US10505894B2 (en) 2016-10-13 2017-02-06 Active and passive method to perform IP to name resolution in organizational environments

Publications (2)

Publication Number Publication Date
US20180109490A1 true US20180109490A1 (en) 2018-04-19
US10505894B2 US10505894B2 (en) 2019-12-10

Family

ID=61904863

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/425,702 Active 2037-05-16 US10505894B2 (en) 2016-10-13 2017-02-06 Active and passive method to perform IP to name resolution in organizational environments

Country Status (4)

Country Link
US (1) US10505894B2 (en)
EP (1) EP3526955A1 (en)
CN (1) CN109891858A (en)
WO (1) WO2018071280A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210029055A1 (en) * 2019-07-22 2021-01-28 International Business Machines Corporation Internet activity compartmentalization
US11979334B2 (en) * 2019-07-22 2024-05-07 International Business Machines Corporation Internet activity compartmentalization

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7480710B1 (en) * 2004-07-13 2009-01-20 Cisco Technology, Inc. Resolving duplication of IP addresses in IP networks
US20100015181A1 (en) * 2005-03-10 2010-01-21 Helen Claire Flick-Smith Vaccine formulation

Family Cites Families (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5917808A (en) 1997-01-17 1999-06-29 Fluke Corporation Method of identifying device types on a local area network using passive monitoring
US6122639A (en) 1997-12-23 2000-09-19 Cisco Technology, Inc. Network device information collection and change detection
US6757740B1 (en) * 1999-05-03 2004-06-29 Digital Envoy, Inc. Systems and methods for determining collecting and using geographic locations of internet users
US7574499B1 (en) * 2000-07-19 2009-08-11 Akamai Technologies, Inc. Global traffic management system using IP anycast routing and dynamic load-balancing
US7725602B2 (en) * 2000-07-19 2010-05-25 Akamai Technologies, Inc. Domain name resolution using a distributed DNS network
US20020087722A1 (en) * 2000-12-29 2002-07-04 Ragula Systems D/B/A/ Fatpipe Networks Domain name resolution making IP address selections in response to connection status when multiple connections are present
US7174390B2 (en) 2001-04-20 2007-02-06 Egenera, Inc. Address resolution protocol system and method in a virtual network
US20030154306A1 (en) * 2002-02-11 2003-08-14 Perry Stephen Hastings System and method to proxy inbound connections to privately addressed hosts
CN1435783A (en) * 2002-10-22 2003-08-13 交大铭泰(北京)软件有限公司 Reverse domain name analysis method
JP2005051473A (en) * 2003-07-28 2005-02-24 Sony Corp Network interconnection device, network interconnection method, name solving device, and computer program
US7673049B2 (en) * 2004-04-19 2010-03-02 Brian Dinello Network security system
US7797410B2 (en) * 2004-04-29 2010-09-14 Euro Convergence, Sarl Reverse IP method and system
US8065408B2 (en) 2004-06-30 2011-11-22 Nokia, Inc. Method and system for dynamic device address management
US9055092B2 (en) 2004-09-10 2015-06-09 Riverbed Technology, Inc. Method and system for grouping diagnostic information
TWI264205B (en) 2004-09-10 2006-10-11 Z Com Inc Method for automatically changing and accessing IP address
US7769851B1 (en) 2005-01-27 2010-08-03 Juniper Networks, Inc. Application-layer monitoring and profiling network traffic
EP1907940A4 (en) 2005-06-29 2012-02-08 Univ Boston Method and apparatus for whole-network anomaly diagnosis and method to detect and classify network anomalies using traffic feature distributions
US7633855B2 (en) * 2005-11-03 2009-12-15 Cisco Technology, Inc. System and method for resolving address conflicts in a network
JP3920305B1 (en) 2005-12-12 2007-05-30 株式会社日立コミュニケーションテクノロジー Packet transfer device
US8160062B2 (en) * 2006-01-31 2012-04-17 Microsoft Corporation Network connectivity determination based on passive analysis of connection-oriented path information
US8185953B2 (en) 2007-03-08 2012-05-22 Extrahop Networks, Inc. Detecting anomalous network application behavior
US7689671B2 (en) * 2007-03-09 2010-03-30 International Business Machines Corporation System and method for multiple IP addresses during domain name resolution
US7720936B2 (en) * 2007-03-12 2010-05-18 Citrix Systems, Inc. Systems and methods of freshening and prefreshening a DNS cache
US8316440B1 (en) * 2007-10-30 2012-11-20 Trend Micro, Inc. System for detecting change of name-to-IP resolution
US20090172192A1 (en) * 2007-12-28 2009-07-02 Christian Michael F Mapless Global Traffic Load Balancing Via Anycast
US7930428B2 (en) * 2008-11-11 2011-04-19 Barracuda Networks Inc Verification of DNS accuracy in cache poisoning
US8812012B2 (en) * 2008-12-16 2014-08-19 The Nielsen Company (Us), Llc Methods and apparatus for associating media devices with a demographic composition of a geographic area
CN101854340B (en) 2009-04-03 2015-04-01 瞻博网络公司 Behavior based communication analysis carried out based on access control information
WO2010123385A1 (en) 2009-04-24 2010-10-28 Tomizone Limited Identifying and tracking users in network communications
US8769057B1 (en) * 2009-05-07 2014-07-01 Sprint Communications Company L.P. Employing a hierarchy of servers to resolve fractional IP addresses
CN101888313B (en) * 2009-05-15 2013-06-19 北京神州绿盟信息安全科技股份有限公司 Main machine detection system and method
JP5288204B2 (en) * 2009-08-10 2013-09-11 株式会社日立製作所 Gateway system and control method
US20110305160A1 (en) * 2010-06-14 2011-12-15 G2, Inc. System, device, and terminal for resolving an obfuscated network address of a network device within a network
US8578034B2 (en) 2010-11-24 2013-11-05 Verizon Patent And Licensing Inc. Optimized network device discovery
US8774056B2 (en) 2011-09-28 2014-07-08 Schneider Electric USA, Inc. Automated device discovery on a network
EP2615773B1 (en) * 2012-01-10 2015-12-16 Thomson Licensing Method and device for timestamping data and method and device for verification of a timestamp
WO2013177311A1 (en) 2012-05-23 2013-11-28 Observable Networks, Llc System and method for continuous device profiling (cdp)
US9246874B2 (en) * 2012-06-29 2016-01-26 Verizon Patent And Licensing Inc. Virtual domain name system
EP3618357B1 (en) * 2012-09-17 2022-06-01 Netsweeper (Barbados) Inc. Network address and hostname mapping in policy service
US9154507B2 (en) 2012-10-15 2015-10-06 International Business Machines Corporation Automated role and entitlements mining using network observations
US20140172947A1 (en) 2012-12-17 2014-06-19 Benu Networks, Inc. Cloud-based virtual local networks
US9378361B1 (en) 2012-12-31 2016-06-28 Emc Corporation Anomaly sensor framework for detecting advanced persistent threat attacks
US9749336B1 (en) * 2013-02-26 2017-08-29 Palo Alto Networks, Inc. Malware domain detection using passive DNS
US8626912B1 (en) 2013-03-15 2014-01-07 Extrahop Networks, Inc. Automated passive discovery of applications
CN103220379A (en) * 2013-05-10 2013-07-24 广东睿江科技有限公司 Domain name reverse-resolution method and device
WO2015138508A1 (en) 2014-03-11 2015-09-17 Vectra Networks, Inc. Method and system for detecting bot behavior
US9854057B2 (en) 2014-05-06 2017-12-26 International Business Machines Corporation Network data collection and response system
US9571452B2 (en) 2014-07-01 2017-02-14 Sophos Limited Deploying a security policy based on domain names
US10091312B1 (en) * 2014-10-14 2018-10-02 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US9621431B1 (en) 2014-12-23 2017-04-11 EMC IP Holding Company LLC Classification techniques to identify network entity types and determine network topologies
US9838352B2 (en) 2015-05-20 2017-12-05 Cisco Technology, Inc. Endpoint device identification based on determined network behavior
US10462124B2 (en) 2016-12-30 2019-10-29 Google Llc Authenticated session management across multiple electronic devices using a virtual session manager

Also Published As

Publication number Publication date
CN109891858A (en) 2019-06-14
WO2018071280A1 (en) 2018-04-19
US10505894B2 (en) 2019-12-10
EP3526955A1 (en) 2019-08-21

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PLOTNIK, IDAN;KRIGSMAN, SIVAN;LAKUNISHOK, BENNY;AND OTHERS;SIGNING DATES FROM 20170129 TO 20170205;REEL/FRAME:041185/0523

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4